Meltdown and Spectre – The big CPU cyber security scare

What’s the easiest way to tell if a tech security issue is really worth worrying about?

We reckon there’s a relatively simple rule to follow when answering this question – it’s when the technology industry and authorities alike openly begin referring to a bug or vulnerability using a distinctly ominous sounding name.

Using this approach we can say beyond any doubt that the news today has delivered something of a ‘double whammy’ on the information security front with many major outlets, including the BBC, reporting the emergence of Meltdown and Spectre.

Now, if they aren’t labels to strike fear in to the heart of tech consumers everywhere then we don’t know what are! (That, or it’s a hotly tipped new duo about to drop the hottest grime track of 2018. You decide. – Ed.)

Are these new vulnerabilities really as scary as they sound though?

Well, it’s often easy just to write off the latest technology fear as yet another scare story which never actually results in the nightmarish outcomes predicted by doomsayers in the media. This has been the case amongst the public ever since the Millennium Bug failed to bring civilisation crashing down, leaving us all with large stocks of tinned food and a distinct feeling that the experts didn’t really know what they were talking about.

In an era now where shunning expert opinion seems to have become the norm though, we really do think the Meltdown and Spectre vulnerabilities warrant being taken seriously. The consequences of not doing so could be truly disastrous.

The main reason for this is the potential reach of the combined security vulnerabilities with Meltdown and Spectre affecting the global leaders in CPU computer chip production. Meltdown affects almost every desktop machine, laptop computer or cloud server using an Intel CPU, while the threat of Spectre could be even more widespread with smartphones, tablets and computers using CPUs produced by Intel, ARM and AMD potentially affected.

In short, just about everybody is likely to be at risk from one or the other (or both).

“Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory. Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location.”

Spectre – Not this one but just as scary.

There is therefore no limit to the type of data at risk on a machine when infected by a malicious application developed to target either the Meltdown or Spectre vulnerabilities. Highly sensitive data and credentials (passwords etc.) are potentially sitting ducks to cyber criminals if they are able to capitalise on the security flaws.

The good news is that the various technology giants supplying major operating systems globally will have been the first (non-malevolent actors at least) to have uncovered and been informed on the vulnerabilities, likely many months before the public became aware.

This means there has been time for security updates and patches to be developed and Microsoft, Apple, Linux and Google (Android OS) have confirmed they have already issued or will soon be issuing wide-ranging fixes. Despite this, it is also worth mentioning that when it comes to Microsoft Windows, the World’s most used operating system, that anyone using an OS older than Windows 10 will remain vulnerable as patches will not be issued for these.

There has been speculation amongst some tech insiders that the updates required to patch the holes that Meltdown and Spectre leverage will affect CPU performance – it’s even been suggested the discovery of these vulnerabilities will force a fundamental rethink on how CPUs are designed and made – although this is as yet unconfirmed.

The reality is though that nothing should be placed above the importance of data security in the here and now. So, if there’s one thing you take from this article let it be this (and excuse the shouty bold capitals but we think it warrants it):

ADMINS AND USERS ALIKE, APPLY YOUR SECURITY PATCHES. IF THEY’RE MADE AVAILABLE IT’S FOR A REASON. DO NOT PUT IT OFF.

This week saw a security alert surface around a potential vulnerability in the hugely popular Magento eCommerce platform, which could potentially allow cyber-attackers the crack in the armour they need to intercept and steal personal card details. Obviously this story in itself is enough to make online retailers sit up and take notice, and to read...

From tomorrow, 1st April 2015, VAT legislation on prompt payment discount (PPD) in the UK is changing. At present the VAT Prompt Payment Discounts rules state that supplier invoices must display the VAT amount proportional to the lowest discounted price offered on an invoice, regardless of whether the PPD is taken or not. To download...

Invoicing your customers within Sage 200 (and when doing business in general) is pretty much the goal of the sales order process – let’s face it, you’re not getting paid without those invoices going out – but for a long time now the absence of invoicing functionality from the core Financials module of the software...